[go: up one dir, main page]

US20140244993A1 - Method of updating the operating system of a secure microcircuit - Google Patents

Method of updating the operating system of a secure microcircuit Download PDF

Info

Publication number
US20140244993A1
US20140244993A1 US14/192,114 US201414192114A US2014244993A1 US 20140244993 A1 US20140244993 A1 US 20140244993A1 US 201414192114 A US201414192114 A US 201414192114A US 2014244993 A1 US2014244993 A1 US 2014244993A1
Authority
US
United States
Prior art keywords
microcircuit
server
operating program
program
mutual authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US14/192,114
Inventor
Gary Chew
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Inside Secure SA
Original Assignee
Inside Secure SA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Inside Secure SA filed Critical Inside Secure SA
Assigned to INSIDE SECURE reassignment INSIDE SECURE ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: CHEW, GARY
Publication of US20140244993A1 publication Critical patent/US20140244993A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575Secure boot
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • G06F21/445Program or device authentication by mutual authentication, e.g. between devices or programs
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/572Secure firmware programming, e.g. of basic input output system [BIOS]
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/4401Bootstrapping
    • G06F9/4406Loading of operating system
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • the present invention relates to secure microcircuits such as those embedded in smart cards, and to portable items such as mobile phones and digital tablets, incorporating such smart cards.
  • the present invention applies in particular to contact smart cards or NFC (Near Field Communication) smart cards that secure sensitive transactions such as payment transactions or accesses to a service.
  • NFC Near Field Communication
  • Smart card microcircuits generally include a processor, volatile memory and a rewritable non-volatile memory for storing programs executed by the processor and data specific to the system and to the user of the smart card, as well as other data to be retained between two transactions.
  • Programs executed by the processor typically include an operating system or program and application programs.
  • the loading of the operating program in the non-volatile memory of the microcircuit is typically performed by the manufacturer of the microcircuit.
  • the entire microcircuit and its operating program are generally certified by a very restrictive certification procedure, in order to authorize the microcircuit thereafter to conduct sensitive transactions such as payment transactions.
  • the life cycle of a secure microcircuit comprises the steps of separate hardware certification of the microcircuit and software certification of the operating program to be installed in the microcircuit.
  • the manufacturer of the microcircuit inserts in the non-volatile memory of the microcircuit a unique identifier that may be a serial number, keys specific to the microcircuit, a public key of the distributor of the microcircuit, and the operating program with associated data.
  • All these data and the operating program may be stored in a rewritable memory of the microcircuit.
  • the microcircuit After undergoing a number of tests, the microcircuit is delivered by the manufacturer to the distributor.
  • the manufacturer and/or distributor may install applications in the microcircuit respecting a certain procedure involving authentication of each application and of a server providing the application for the microcircuit, the application having been previously certified by a dedicated certification entity.
  • the distributor then controls the distribution of the microcircuit to end-users and manages the life cycle of the microcircuit.
  • Embodiments relate to a method of loading an operating program in a secure microcircuit, comprising the steps of: downloading and installing in the microcircuit a boot program, which is launched upon activation of the microcircuit, loading into the microcircuit initialization data including a first public key, performing a mutual authentication procedure between the microcircuit and a first server having a private key corresponding to the first public key, and if the mutual authentication is successful, loading from the first server operating program profile data holding a second public key, performing a mutual authentication procedure between the microcircuit and a second server having a private key corresponding to the second public key, and if the mutual authentication is successful, loading an operating program from the second server and installing it in the microcircuit, and activating the operating program when it is in the microcircuit.
  • the method comprises the steps of: performing a mutual authentication procedure between the microcircuit and a third server having a private key corresponding to a third public key held in the operating program profile data, and if the mutual authentication procedure is successful, loading an application from the third server and installing it in the microcircuit, and/or loading user data in the microcircuit.
  • the method comprises the steps of: performing a mutual authentication procedure between the microcircuit and a third server having a private key corresponding to a third public key held in the operating program profile data, and if the mutual authentication procedure is successful, running a command for erasing the operating program and operating program profile data in the microcircuit, wherein the erase command is transmitted to the microcircuit from the third server, and placing the microcircuit in a state where it is ready to receive new operating program profile data from the first server.
  • the operating program profile data and/or the operating program are transmitted in encrypted form using a secret key shared between the microcircuit and the first and/or second server during mutual authentication.
  • the method comprises a step of receiving by the microcircuit a signal for enabling a control mode wherein the microcircuit can receive commands from a server, including an operating program erase command.
  • the activation signal of the control mode includes a sequence of several reset signals received during a period of time.
  • the method comprises a step of checking the integrity of the boot program upon start-up of the microcircuit.
  • the installation of the operating program in the microcircuit is followed by an integrity check of the installed operating program, wherein the operating program is erased from the microcircuit if the integrity check fails.
  • Embodiments also relate to a secure microcircuit configured by a boot program for: loading into the microcircuit initialization data comprising a first public key, performing a mutual authentication procedure between the microcircuit and a first server having a private key corresponding to the first public key, and if the mutual authentication is successful, loading from the first server operating program profile data holding a second public key, and performing a mutual authentication procedure between the microcircuit and a second server having a private key corresponding to the second public key, and if the mutual authentication is successful, loading an operating program from the second server and installing it in the microcircuit, and activating the operating program when it is in the microcircuit.
  • the microcircuit is configured by the operating program for: performing a mutual authentication procedure between the microcircuit and a third server having a private key corresponding to a third public key held in the operating program profile data, and if the mutual authentication is successful, receiving an application from the third server and installing it in the microcircuit, and/or loading user data in the microcircuit.
  • the microcircuit is configured by the boot program for: performing a mutual authentication procedure between the microcircuit and a third server having a private key corresponding to a third public key held in the operating program profile data, and if the mutual authentication is successful, receiving from the third server and executing a command for erasing the operating program and the operating program profile data from the microcircuit, and placing the microcircuit in a state where it is ready to receive new operating program profile data from the first server.
  • the microcircuit is configured by the boot program for receiving a signal for enabling a control mode, wherein the microcircuit can receive commands from a server, including an operating program erase command.
  • control mode enable signal includes a sequence of a number of reset signals received during a period of time.
  • the microcircuit is configured by the boot program to control the integrity of the boot program at start-up of the microcircuit.
  • the microcircuit is configured by the boot program to control the integrity of the operating program once it is installed, and to erase the operating program from the microcircuit if the integrity check fails.
  • FIG. 1 schematically shows a secure microcircuit
  • FIG. 2 is a state diagram of the microcircuit of FIG. 1 , according to one embodiment,
  • FIG. 3 is a sequence of steps performed upon starting the microcircuit of FIG. 1 , according to one embodiment,
  • FIGS. 4A to 4E schematically show the content of non-volatile memories of the secure microcircuit at different states of the microcircuit of FIG. 1 , according to one embodiment
  • FIG. 5 shows mutual authentication steps of a server and the microcircuit of FIG. 1 , according to one embodiment
  • FIG. 6 shows steps performed by the microcircuit and different servers that may be authenticated by the microcircuit.
  • FIG. 1 shows a secure microcircuit SE.
  • the microcircuit SE includes a processor PRC, memories NWM, VM, NVM, communication circuits ICM, and a bus SB connecting the processor PRC to the memories NWM, NVM, VM and circuits ICM.
  • the memories include a volatile memory VM (of RAM type), and one or more non-volatile memories NWM, NVM.
  • the non-volatile memories include a rewritable memory NVM (of flash or EEPROM type) and possibly a write-once memory NWM (of ROM type).
  • the circuits ICM may include contact and/or contactless communication circuits.
  • FIG. 2 shows a state diagram of a boot program SBL for loading a secure operating system or program.
  • the program SBL is installed in the NVM or NWM memory of the microcircuit during manufacture thereof.
  • the program SBL namely includes cryptographic functions provided to secure the loading of such an operating program and associated data, and authenticate a vendor entity of the operating program, and communication functions exploiting the circuits ICM, designed to communicate with an entity that may provide an operating program and associated data.
  • the microcircuit SE At the output of the production line, and upon starting the program SBL, the microcircuit SE is in an initial state INT identified by a state variable stored in the memory NVM or in a register. In this state, the non-volatile memories NVM, NWM of the microcircuit SE contain no data specific to the microcircuit SE.
  • the receipt of an initialization signal triggers an initialization sequence. After this initialization sequence, the microcircuit SE assumes a blank condition VGN.
  • the initialization sequence introduces into the non-volatile memories NVM, NWM initialization data such as a unique identifier SEID for identifying the microcircuit, a pair of private and public keys SESK, SEPK, a public key of a server authorized to load profile data of an operating program in the memory NVM, and possibly an address to access this server.
  • the state variable of the microcircuit SE assumes state VGN.
  • the initialization date of the microcircuit may also be stored.
  • the memories NVM, NWM of the microcircuit SE therefore contain no data relative to an operating system or of an end distributor entity of the microcircuit.
  • the program SBL may assume a preloaded state PLD after receiving profile data OSPL of an operating program OS.
  • the profile data comprise the size of the OS program to be subsequently transmitted to the microcircuit SE, a memory start address for installing the OS program, a memory start address for writing the OS program data, a public key, and possibly an access address of the vendor of the OS program, a name and a checksum of the OS program.
  • the profile data may also include a date of installation of the OS program and a validity date.
  • the SBL program may assume a state ERS for erasing the OS program and the associated profile data OSPL, upon receipt of an erase request ERRQ received by the microcircuit, or a ready state RDY that may be achieved when an OS program and associated data OSPL are successfully loaded and installed in the NVM memory of the microcircuit SE.
  • the SBL program may assume the ERS state after receiving an erase request ERRQ or a disabled state KLD.
  • the ERS state may also be assumed upon receipt by the microcircuit SE of a signal relative to a critical event CEVT.
  • the SBL program erases the OS program and associated profile data OSPL in the NVM memory.
  • the microcircuit SE returns to state VGN.
  • FIG. 3 shows steps performed by the processor PRC under the control of the SBL program.
  • the processor PRC executes steps S 1 to S 5 .
  • step S 1 the processor PRC performs power-on tests and enables its ICM interface circuit.
  • step S 2 the processor tests the integrity of the SBL program, for example by calculating a checksum from the SBL program and the associated data stored in the memories NWM and/or NVM or loaded into the VM memory.
  • the S 1 step is executed only at power-on PWO of processor PRC or as a result of the activation of a boot signal RST.
  • step S 2 is executed directly upon activation of a reset or reboot signal WRST while the processor PRC is powered.
  • the processor PRC determines whether it has received a signal for assuming a control mode. If the processor PRC has received such a signal, it assumes a state where it may receive and process orders from outside the microcircuit SE (steps S 4 to S 10 ), otherwise it performs some of the steps S 11 to S 30 .
  • the control mode switch signal may be a warm boot signal combined with another signal provided to the processor PRC.
  • the control mode switch signal may also be a sequence of a specified number of warm boot signals received for a specified time. The warm boot signal sequence may be set by initialization parameters of the microcircuit SE.
  • step S 4 the processor PRC waits for an authorized command.
  • the processor PRC may only process an authentication request or a command to read non-confidential data, from the interface circuit ICM. If the received command is an authentication request RQ AUTH, the processor PRC executes step S 5 to launch a mutual authentication procedure with the sender of the request. If the received command is a non-confidential data read command, the processor PRC executes step S 7 .
  • step S 5 if the mutual authentication is completed without error, the processor PRC executes step S 6 , otherwise it executes step S 10 where the processor PRC activates the WRST signal, which causes the SBL program to run again in step S 2 .
  • step S 5 may be designed to trigger the signal CEVT for switching program OS into the erase state ERS.
  • step S 7 the processor PRC executes the read command and returns to step S 4 .
  • step S 6 the processor PRC waits for a command from circuit ICM. At this stage, the processor PRC may handle a command ERRQ to wipe the program OS installed in memory NVM, or a command for reading data that may be confidential.
  • step S 6 If the command received in step S 6 is a command for reading data, the processor executes step S 7 ′ for reading the data and returns to step S 6 . If the command received in step S 6 is an erase command ERRQ, the processor PRC executes step S 8 . In this step, the processor checks if the current state SBST of the microcircuit SE is compatible with the execution of the ERRQ command, that is to say, if the state SBST is RDY or PLD (according to the state diagram of FIG. 3 ). If the state of microcircuit SE is not compatible with the execution of an erase command ERRQ, the processor PRC executes step S 10 where it triggers the emission of a warm boot signal WRST (to return to step S 2 ). Otherwise, the processor PRC executes the steps S 9 and S 10 . In step S 9 , the processor PRC changes the state SBST of microcircuit SE to switch it to state ERS (according to the state diagram of FIG. 3 ).
  • step S 11 the processor PRC tests the SBST state of microcircuit SE. If the SBST state is INT, the processor executes the steps S 12 to S 14 . If the SBST state is VGN, it executes the steps S 15 to S 19 . If the SBST state is PLD, it executes the steps S 20 to S 27 . If the SBST state is RDY, it executes step S 30 where it activates the program OS previously installed in steps S 17 to S 29 . If the SBST state is ERS, it executes the steps S 28 and S 29 .
  • step S 12 the processor PRC waits for an initialization command from the ICM circuit.
  • the processor performs the steps S 13 , S 14 and S 27 corresponding to the transition between states INT and VGN. Access to step S 12 may be protected by an optionally encrypted password, which is written in the memory NVM during the manufacture of the microcircuit.
  • step S 13 the processor PRC loads initialization data transmitted with the received command in the memory NVM.
  • step S 14 the processor sets the SBST state of microcircuit SE to VGN.
  • step S 27 the processor PRC activates the WRST signal, thereby reactivating the SBL program in step S 2 .
  • the processor PRC waits for an authentication request received by the interface circuit ICM.
  • the processor executes a mutual authentication procedure with a server in communication with the microcircuit SE. If the authentication procedure fails, the processor PRC directly executes the step S 27 , otherwise it executes the steps S 17 to S 19 , then S 27 .
  • the processor PRC waits for a command to load profile data of an operating program OSPL. When this command is received, the processor loads the received data (step S 18 ).
  • the processor PRC changes the state SBST of the microcircuit to PLD.
  • step S 20 the microcircuit SE being in state PLD, the processor PRC waits for an authentication request RQ AUTH received by the interface circuit ICM.
  • step S 21 the processor executes the mutual authentication procedure with a server in communication with the microcircuit SE. If the authentication procedure fails, the processor PRC executes step S 27 , otherwise it executes the steps S 22 to S 24 .
  • step S 22 the processor PRC waits for a first message for downloading an operating program OS.
  • step S 23 it executes a procedure for loading and installing the OS program.
  • step S 24 it executes a procedure for verifying the integrity of the loaded and installed program OS, for example, by calculating a checksum and comparing the value obtained with an expected value.
  • step S 25 the processor sets the state SBST of the microcircuit SE to ERS, otherwise it executes step S 24 where it sets the state to RDY.
  • step S 27 the processor PRC executes the step S 27 to reactivate the procedure from step S 2 .
  • step S 28 with the microcircuit SE in state ERS, the processor PRC executes the command ERRQ to erase the OS program. Then, the processor executes the steps S 29 and S 27 , where it sets the state SBST of microcircuit SE to VGN and activates the signal WRST.
  • the processor PRC starts executing the OS program.
  • the OS program may send to the server that transmitted the OS program to microcircuit SE, a message containing a log of the OS program installation.
  • the microcircuit SE is then ready to receive customization data relating to a user of the microcircuit.
  • the microcircuit SE may also receive one or more applications, each for enabling a transaction of a specific type with a terminal of a specific type.
  • FIGS. 4A to 4E show the content of non-volatile memory NVM, and optionally NWM, of the microcircuit SE in the various states shown in FIG. 2 .
  • FIG. 4A shows the contents of the memories NWM, NVM in state INT, that is to say at the end of manufacturing of the microcircuit. In the NT state, the memory NVM/NWM simply contains the SBL program and the state variable SBST is initialized to INT.
  • FIG. 4B shows the contents of memories NWM, NVM in state VGN.
  • the memory NVM/NWM further contains an identifier OIA of microcircuit SE, such as a serial number, a pair of public and private keys SEPK, SESK, as well as information relating to a server authorized to load profile data of an operating program OSPL in the non-volatile memory NVM of microcircuit SE.
  • Information about the authorized server includes a public key SRSK and possibly an address SRVA or identifier of this server.
  • FIG. 4C shows the contents of memories NWM, NVM in the PLD state.
  • the NVM memory contains, in addition to the data of the VGN state, data ORDT relative to the operating program OS that may be loaded into the NVM memory, a public key OPPK of an entity authorized to load the OS program, and a public key of a vendor of the microcircuit SE.
  • the data ORDT relating to the OS program include an identifier of the program, the size of the OS program and a start address for loading the program in the NVM memory, the data size of the OS program and a start address for loading the data into the NVM memory, integrity data for the program, such as a checksum, and possibly the date of loading the data into the NVM memory.
  • FIG. 4D shows the contents of memories NWM, NVM in the RDY state.
  • memory NVM contains, in addition to the data of the PLD state, the installed OS program and data OSD for the OS program.
  • FIG. 4E shows the contents of memories NWM, NVM in the RDY state, after loading and installing applications AP1, AP2, AP3.
  • the memories NWM, NVM shown in FIGS. 4C-4E may also be in the ERS state if an authenticated erase command ERRQ has been sent to the microcircuit SE, but has not been processed yet.
  • the OS program can manage memory space for application execution, by loading the executable code of an application to run in the VM memory, assigning the application a specific isolated execution space in memory, and ensuring an interface between the application and the hardware resources of the microcircuit SE, such as the communication interface ICM, a cryptographic coprocessor, and memories VM, NVM.
  • the SBL program can in no way be considered as an operating program or system compared to the OS program that, in turn, cannot be considered as an application program compared to the SBL program.
  • the SBL program only performs, at start-up of the microcircuit SE, a set of tests (steps S 1 , S 2 ) before handing over execution to the OS program. Therefore, the SBL program does not ensure loading the OS program in memory VM for execution, nor the interface between the OS program and hardware resources of the microcircuit SE, nor the allocation of a volatile memory space for the OS program execution.
  • the OS program has its own resources that are not shared with the SBL program.
  • the OS program itself ensures the control of the interface circuits ICM and has cryptographic functions. If the processor PRC has an interruption vector table or exception vectors, the installation of the OS program reconfigures the table, with the exception of vectors corresponding to the power-on, initialization and reset signals PWO, RST, WRST.
  • FIG. 5 shows steps of the authentication procedure performed in steps S 5 , S 16 and S 21 .
  • This procedure includes steps S 41 to S 54 performed by the microcircuit SE and server SRV.
  • the microcircuit SE and server SRV may communicate with each other by any means, for example via a contact or contactless reader, to which the microcircuit SE can connect.
  • the microcircuit SE may also be inserted into a mobile phone and communicate with the server SRV via a processor of the phone and a communication link using a communication interface of the phone (GSM/3G/LTE/USB/WIFI . . . ).
  • the server SRV holds the identifier SEID and the public key SEPK of the microcircuit SE, both of which may be stored in a database SEDB of identifiers for microcircuits in service.
  • the server SRV establishes a communication with the microcircuit SE and issues a command for selecting the SBL program. This command may conform to the APDU (Application Protocol Data Unit) protocol defined by the ISO 7816 standard.
  • the processor PRC of microcircuit SE generates a random number SBR.
  • the processor PRC transmits in response to server SRV an authentication request containing the number SBR.
  • the server SRV generates a random number SRR, and calculates a signature SRS using a cryptographic function SGN applied to the random number SBR received from the microcircuit SE and to the generated random number SRR, using a private key SRSK of the server SRV corresponding to the public key SRPK stored by the microcircuit SE.
  • the server SRV transmits to the microcircuit SE an authentication request containing the random number SRR and signature SRS.
  • the processor PRC applies to the received signature SRS a cryptographic function SGN′ corresponding to function SGN, using the public key SRPK of the server SRV. Under these conditions, the function SGN′ provides numbers SBR′ and SRR′.
  • step S 47 the processor PRC compares the numbers SBR′ and SBR, and the numbers SRR′ and SRR.
  • steps S 48 and S 49 the processor PRC updates an authentication token AUTH based on the result of these comparisons.
  • Step S 48 is executed if the numbers SBR′ and SBR match and if the numbers SRR′ and SRR match, which means that the server SRV holds the private key SRSK corresponding to the public key SRPK stored by the microcircuit SE and has properly authenticated.
  • the processor PRC also calculates a signature SES using the function SGN on the numbers SBR and SRR, using its private key SESK.
  • the processor PRC also generates a secret SK by applying a cryptographic function CF1 to the public keys SEPK and SRPK of the microcircuit SE and server SRV, and calculates a session key SSK by applying a cryptographic function CF2 to the secret SK and random numbers SBR and SRR.
  • the function CF1 may be a Diffie-Hellman function, for example, applied to points of an elliptic curve in a finite field.
  • the function CF2 may be an irreversible function such as a hash function, e.g. SHA-1.
  • the step S 50 is executed by the processor PRC following step S 48 or S 49 . In step S 50 , the processor PRC transmits to the server SRV the authentication indicator AUTH and possibly signature SES.
  • the server SRV receives the AUTH token and possibly the signature SES, and tests the value of the AUTH token.
  • the server SRV performs the steps S 52 to S 54 only if the AUTH token indicates that the microcircuit SE has authenticated the server SRV.
  • steps S 52 , S 53 the server SRV verifies the signature SES in the same manner as in steps S 46 and S 47 . If the signature SES is wrong, the server SRV terminates the procedure, possibly by sending an error message to the microcircuit SE. Otherwise, the server SRV performs step S 54 where it calculates the secret SK and the session key SSK, in the same manner as in step S 48 .
  • the server SRV and the microcircuit are then ready to exchange data securely and confidentially with the session key SSK.
  • FIG. 6 shows steps S 61 to S 69 executed by the microcircuit SE under control of program SBL and by servers MSRV, OSRV and ISRV.
  • Steps S 61 to S 63 are executed with the server MSRV that represents a server of the microcircuit manufacturer.
  • Step S 61 represents the loading of the initialization data of the SBL program (step S 13 ).
  • Step S 61 enables the microcircuit SE to switch from state INT to state VGN.
  • Step S 61 may be followed by the transmission of a command or an authentication request.
  • Step S 62 represents a mutual authentication procedure performed by the server MSRV and the microcircuit SE, following the transmission to the microcircuit of an authentication request. If the authentication procedure is successful, the step S 62 may be followed by step S 63 for loading operating program profile data OSP.
  • Step S 63 switches the microcircuit SE in the PLD state.
  • the steps S 64 and S 65 may be performed by a vendor of the OS program, the OSP data including for this purpose the public key OPPK of the server OSRV that is authorized to load the OS program in the microcircuit SE.
  • the server OSRV and the microcircuit SE perform a mutual authentication. If the authentication procedure is successful, step S 64 may be followed by step S 65 for loading an operating program OS. If step S 65 runs correctly, microcircuit SE switches to the RDY state.
  • Steps S 66 to S 69 may be performed by the microcircuit in the RDY state and by the server ISRV of a vendor of the microcircuit SE, whose public key ISPK is held in the data profile of the OS program.
  • the server ISRV and the microcircuit SE perform a mutual authentication. If the authentication procedure is successful, the step S 66 may be followed by step S 67 for loading one or more applications AP1, AP2, AP3, and data relating to the recipient of microcircuit SE.
  • step S 68 the server ISRV and the microcircuit SE perform a new mutual authentication procedure.
  • step S 68 may be followed by step S 69 to execute an erase command transmitted by the server ISRV to the microcircuit SE.
  • the microcircuit SE goes successively through the ERS and VGN states. In the VGN state, only the server MSRV whose public key is held in the initialization data of the SBL program may reload operating program profile data OSP (steps S 62 , S 63 ). The microcircuit SE may then receive from another server referenced in the profile data loaded in step S 63 , an operating program (steps S 64 , S 65 ) and application data (steps S 66 , S 67 ).
  • the present invention is susceptible to various alternatives and applications.
  • the invention is not limited to executing an erase procedure of an operating system or program previously installed in the microcircuit. Indeed, although the deletion of such a program is envisaged, the microcircuit may operate throughout its life time with the same operating program.
  • the installation of applications in the microcircuit following the operating program installation is not required.
  • the operating program installed in the microcircuit may itself include functions or applications allowing the microcircuit to perform certain transactions or to access a service.

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

A method of loading an operating program in a secure microcircuit, includes the steps of: downloading and installing in the microcircuit a boot program, which is launched upon activation of the microcircuit, loading into the microcircuit initialization data including a first public key, performing a mutual authentication procedure between the microcircuit and a first server having a private key corresponding to the first public key, and if the mutual authentication is successful, loading from the first server operating program profile data holding a second public key, performing a mutual authentication procedure between the microcircuit and a second server having a private key corresponding to the second public key, and if the mutual authentication is successful, loading an operating program from the second server and installing it in the microcircuit, and activating the operating program when it is in the microcircuit.

Description

    FIELD
  • The present invention relates to secure microcircuits such as those embedded in smart cards, and to portable items such as mobile phones and digital tablets, incorporating such smart cards.
  • The present invention applies in particular to contact smart cards or NFC (Near Field Communication) smart cards that secure sensitive transactions such as payment transactions or accesses to a service.
    • BACKGROUND
  • Smart card microcircuits generally include a processor, volatile memory and a rewritable non-volatile memory for storing programs executed by the processor and data specific to the system and to the user of the smart card, as well as other data to be retained between two transactions. Programs executed by the processor typically include an operating system or program and application programs.
  • For security reasons, the loading of the operating program in the non-volatile memory of the microcircuit is typically performed by the manufacturer of the microcircuit. The entire microcircuit and its operating program are generally certified by a very restrictive certification procedure, in order to authorize the microcircuit thereafter to conduct sensitive transactions such as payment transactions. Traditionally, the life cycle of a secure microcircuit comprises the steps of separate hardware certification of the microcircuit and software certification of the operating program to be installed in the microcircuit. Once the microcircuit is manufactured, the manufacturer of the microcircuit inserts in the non-volatile memory of the microcircuit a unique identifier that may be a serial number, keys specific to the microcircuit, a public key of the distributor of the microcircuit, and the operating program with associated data. All these data and the operating program may be stored in a rewritable memory of the microcircuit. After undergoing a number of tests, the microcircuit is delivered by the manufacturer to the distributor. The manufacturer and/or distributor may install applications in the microcircuit respecting a certain procedure involving authentication of each application and of a server providing the application for the microcircuit, the application having been previously certified by a dedicated certification entity. The distributor then controls the distribution of the microcircuit to end-users and manages the life cycle of the microcircuit.
  • Once the microcircuit and the installed operating program are certified as a whole, it is no longer possible to change the operating program without subjecting both to a new certification procedure. However, a need to change the operating program of a secure microcircuit may arise, especially so that microcircuits already in service may benefit from updates to the operating program, or may receive a new operating program, issued for example by another entity.
    • SUMMARY
  • Embodiments relate to a method of loading an operating program in a secure microcircuit, comprising the steps of: downloading and installing in the microcircuit a boot program, which is launched upon activation of the microcircuit, loading into the microcircuit initialization data including a first public key, performing a mutual authentication procedure between the microcircuit and a first server having a private key corresponding to the first public key, and if the mutual authentication is successful, loading from the first server operating program profile data holding a second public key, performing a mutual authentication procedure between the microcircuit and a second server having a private key corresponding to the second public key, and if the mutual authentication is successful, loading an operating program from the second server and installing it in the microcircuit, and activating the operating program when it is in the microcircuit.
  • According to an embodiment, the method comprises the steps of: performing a mutual authentication procedure between the microcircuit and a third server having a private key corresponding to a third public key held in the operating program profile data, and if the mutual authentication procedure is successful, loading an application from the third server and installing it in the microcircuit, and/or loading user data in the microcircuit.
  • According to an embodiment, the method comprises the steps of: performing a mutual authentication procedure between the microcircuit and a third server having a private key corresponding to a third public key held in the operating program profile data, and if the mutual authentication procedure is successful, running a command for erasing the operating program and operating program profile data in the microcircuit, wherein the erase command is transmitted to the microcircuit from the third server, and placing the microcircuit in a state where it is ready to receive new operating program profile data from the first server.
  • According to an embodiment, the operating program profile data and/or the operating program are transmitted in encrypted form using a secret key shared between the microcircuit and the first and/or second server during mutual authentication.
  • According to an embodiment, the method comprises a step of receiving by the microcircuit a signal for enabling a control mode wherein the microcircuit can receive commands from a server, including an operating program erase command.
  • According to an embodiment, the activation signal of the control mode includes a sequence of several reset signals received during a period of time.
  • According to an embodiment, the method comprises a step of checking the integrity of the boot program upon start-up of the microcircuit.
  • According to an embodiment, the installation of the operating program in the microcircuit is followed by an integrity check of the installed operating program, wherein the operating program is erased from the microcircuit if the integrity check fails.
  • Embodiments also relate to a secure microcircuit configured by a boot program for: loading into the microcircuit initialization data comprising a first public key, performing a mutual authentication procedure between the microcircuit and a first server having a private key corresponding to the first public key, and if the mutual authentication is successful, loading from the first server operating program profile data holding a second public key, and performing a mutual authentication procedure between the microcircuit and a second server having a private key corresponding to the second public key, and if the mutual authentication is successful, loading an operating program from the second server and installing it in the microcircuit, and activating the operating program when it is in the microcircuit.
  • According to an embodiment, the microcircuit is configured by the operating program for: performing a mutual authentication procedure between the microcircuit and a third server having a private key corresponding to a third public key held in the operating program profile data, and if the mutual authentication is successful, receiving an application from the third server and installing it in the microcircuit, and/or loading user data in the microcircuit.
  • According to an embodiment, the microcircuit is configured by the boot program for: performing a mutual authentication procedure between the microcircuit and a third server having a private key corresponding to a third public key held in the operating program profile data, and if the mutual authentication is successful, receiving from the third server and executing a command for erasing the operating program and the operating program profile data from the microcircuit, and placing the microcircuit in a state where it is ready to receive new operating program profile data from the first server.
  • According to an embodiment, the microcircuit is configured by the boot program for receiving a signal for enabling a control mode, wherein the microcircuit can receive commands from a server, including an operating program erase command.
  • According to an embodiment, the control mode enable signal includes a sequence of a number of reset signals received during a period of time.
  • According to an embodiment, the microcircuit is configured by the boot program to control the integrity of the boot program at start-up of the microcircuit.
  • According to an embodiment, the microcircuit is configured by the boot program to control the integrity of the operating program once it is installed, and to erase the operating program from the microcircuit if the integrity check fails.
    • BRIEF DESCRIPTION OF DRAWINGS
  • Other advantages and features will become more clearly apparent from the following description of particular embodiments of the invention provided for exemplary purposes only and represented in the appended drawings, in which:
  • FIG. 1 schematically shows a secure microcircuit,
  • FIG. 2 is a state diagram of the microcircuit of FIG. 1, according to one embodiment,
  • FIG. 3 is a sequence of steps performed upon starting the microcircuit of FIG. 1, according to one embodiment,
  • FIGS. 4A to 4E schematically show the content of non-volatile memories of the secure microcircuit at different states of the microcircuit of FIG. 1, according to one embodiment,
  • FIG. 5 shows mutual authentication steps of a server and the microcircuit of FIG. 1, according to one embodiment,
  • FIG. 6 shows steps performed by the microcircuit and different servers that may be authenticated by the microcircuit.
    •  DESCRIPTION OF EMBODIMENTS
  • FIG. 1 shows a secure microcircuit SE. The microcircuit SE includes a processor PRC, memories NWM, VM, NVM, communication circuits ICM, and a bus SB connecting the processor PRC to the memories NWM, NVM, VM and circuits ICM. The memories include a volatile memory VM (of RAM type), and one or more non-volatile memories NWM, NVM. The non-volatile memories include a rewritable memory NVM (of flash or EEPROM type) and possibly a write-once memory NWM (of ROM type). The circuits ICM may include contact and/or contactless communication circuits.
  • FIG. 2 shows a state diagram of a boot program SBL for loading a secure operating system or program. The program SBL is installed in the NVM or NWM memory of the microcircuit during manufacture thereof. The program SBL namely includes cryptographic functions provided to secure the loading of such an operating program and associated data, and authenticate a vendor entity of the operating program, and communication functions exploiting the circuits ICM, designed to communicate with an entity that may provide an operating program and associated data.
  • At the output of the production line, and upon starting the program SBL, the microcircuit SE is in an initial state INT identified by a state variable stored in the memory NVM or in a register. In this state, the non-volatile memories NVM, NWM of the microcircuit SE contain no data specific to the microcircuit SE. The receipt of an initialization signal triggers an initialization sequence. After this initialization sequence, the microcircuit SE assumes a blank condition VGN. The initialization sequence introduces into the non-volatile memories NVM, NWM initialization data such as a unique identifier SEID for identifying the microcircuit, a pair of private and public keys SESK, SEPK, a public key of a server authorized to load profile data of an operating program in the memory NVM, and possibly an address to access this server. The state variable of the microcircuit SE assumes state VGN. The initialization date of the microcircuit may also be stored. In state VGN, the memories NVM, NWM of the microcircuit SE therefore contain no data relative to an operating system or of an end distributor entity of the microcircuit. In state VGN, the program SBL may assume a preloaded state PLD after receiving profile data OSPL of an operating program OS. The profile data comprise the size of the OS program to be subsequently transmitted to the microcircuit SE, a memory start address for installing the OS program, a memory start address for writing the OS program data, a public key, and possibly an access address of the vendor of the OS program, a name and a checksum of the OS program. The profile data may also include a date of installation of the OS program and a validity date. In the PLD state, the SBL program may assume a state ERS for erasing the OS program and the associated profile data OSPL, upon receipt of an erase request ERRQ received by the microcircuit, or a ready state RDY that may be achieved when an OS program and associated data OSPL are successfully loaded and installed in the NVM memory of the microcircuit SE. In the RDY state, the SBL program may assume the ERS state after receiving an erase request ERRQ or a disabled state KLD. The ERS state may also be assumed upon receipt by the microcircuit SE of a signal relative to a critical event CEVT. In the ERS state, the SBL program erases the OS program and associated profile data OSPL in the NVM memory. At the end of the erase procedure, the microcircuit SE returns to state VGN.
  • FIG. 3 shows steps performed by the processor PRC under the control of the SBL program. At power-on PWO or following the activation of a cold boot signal RST, the processor PRC executes steps S1 to S5. In step S1, the processor PRC performs power-on tests and enables its ICM interface circuit. In step S2, the processor tests the integrity of the SBL program, for example by calculating a checksum from the SBL program and the associated data stored in the memories NWM and/or NVM or loaded into the VM memory. The S1 step is executed only at power-on PWO of processor PRC or as a result of the activation of a boot signal RST. In contrast, the step S2 is executed directly upon activation of a reset or reboot signal WRST while the processor PRC is powered. In step S3, the processor PRC determines whether it has received a signal for assuming a control mode. If the processor PRC has received such a signal, it assumes a state where it may receive and process orders from outside the microcircuit SE (steps S4 to S10), otherwise it performs some of the steps S11 to S30. The control mode switch signal may be a warm boot signal combined with another signal provided to the processor PRC. The control mode switch signal may also be a sequence of a specified number of warm boot signals received for a specified time. The warm boot signal sequence may be set by initialization parameters of the microcircuit SE.
  • In step S4, the processor PRC waits for an authorized command. In step S4, the processor PRC may only process an authentication request or a command to read non-confidential data, from the interface circuit ICM. If the received command is an authentication request RQ AUTH, the processor PRC executes step S5 to launch a mutual authentication procedure with the sender of the request. If the received command is a non-confidential data read command, the processor PRC executes step S7. In step S5, if the mutual authentication is completed without error, the processor PRC executes step S6, otherwise it executes step S10 where the processor PRC activates the WRST signal, which causes the SBL program to run again in step S2. Several authentication failures in step S5 may be designed to trigger the signal CEVT for switching program OS into the erase state ERS. In step S7, the processor PRC executes the read command and returns to step S4. In step S6, the processor PRC waits for a command from circuit ICM. At this stage, the processor PRC may handle a command ERRQ to wipe the program OS installed in memory NVM, or a command for reading data that may be confidential.
  • If the command received in step S6 is a command for reading data, the processor executes step S7′ for reading the data and returns to step S6. If the command received in step S6 is an erase command ERRQ, the processor PRC executes step S8. In this step, the processor checks if the current state SBST of the microcircuit SE is compatible with the execution of the ERRQ command, that is to say, if the state SBST is RDY or PLD (according to the state diagram of FIG. 3). If the state of microcircuit SE is not compatible with the execution of an erase command ERRQ, the processor PRC executes step S10 where it triggers the emission of a warm boot signal WRST (to return to step S2). Otherwise, the processor PRC executes the steps S9 and S10. In step S9, the processor PRC changes the state SBST of microcircuit SE to switch it to state ERS (according to the state diagram of FIG. 3).
  • In step S11, the processor PRC tests the SBST state of microcircuit SE. If the SBST state is INT, the processor executes the steps S12 to S14. If the SBST state is VGN, it executes the steps S15 to S19. If the SBST state is PLD, it executes the steps S20 to S27. If the SBST state is RDY, it executes step S30 where it activates the program OS previously installed in steps S17 to S29. If the SBST state is ERS, it executes the steps S28 and S29.
  • In step S12, the processor PRC waits for an initialization command from the ICM circuit. When the initialization command is received, the processor performs the steps S13, S14 and S27 corresponding to the transition between states INT and VGN. Access to step S12 may be protected by an optionally encrypted password, which is written in the memory NVM during the manufacture of the microcircuit. At step S13, the processor PRC loads initialization data transmitted with the received command in the memory NVM. In step S14, the processor sets the SBST state of microcircuit SE to VGN. At step S27, the processor PRC activates the WRST signal, thereby reactivating the SBL program in step S2.
  • At step S15, the microcircuit is in the VGN state, the processor PRC waits for an authentication request received by the interface circuit ICM. At step S16, the processor executes a mutual authentication procedure with a server in communication with the microcircuit SE. If the authentication procedure fails, the processor PRC directly executes the step S27, otherwise it executes the steps S17 to S19, then S27. At step S17, the processor PRC waits for a command to load profile data of an operating program OSPL. When this command is received, the processor loads the received data (step S18). At step S19, the processor PRC changes the state SBST of the microcircuit to PLD.
  • In step S20, the microcircuit SE being in state PLD, the processor PRC waits for an authentication request RQ AUTH received by the interface circuit ICM. In step S21, the processor executes the mutual authentication procedure with a server in communication with the microcircuit SE. If the authentication procedure fails, the processor PRC executes step S27, otherwise it executes the steps S22 to S24. In step S22, the processor PRC waits for a first message for downloading an operating program OS. At step S23, it executes a procedure for loading and installing the OS program. In step S24, it executes a procedure for verifying the integrity of the loaded and installed program OS, for example, by calculating a checksum and comparing the value obtained with an expected value. If the verification of the installed OS program fails, the processor executes step S25 where it sets the state SBST of the microcircuit SE to ERS, otherwise it executes step S24 where it sets the state to RDY. Following the steps S24 and S25, the processor PRC executes the step S27 to reactivate the procedure from step S2.
  • In step S28, with the microcircuit SE in state ERS, the processor PRC executes the command ERRQ to erase the OS program. Then, the processor executes the steps S29 and S27, where it sets the state SBST of microcircuit SE to VGN and activates the signal WRST.
  • In the RDY state in step S11 (following receipt of the signal WRST), the processor PRC starts executing the OS program. At its first activation, the OS program may send to the server that transmitted the OS program to microcircuit SE, a message containing a log of the OS program installation. The microcircuit SE is then ready to receive customization data relating to a user of the microcircuit. The microcircuit SE may also receive one or more applications, each for enabling a transaction of a specific type with a terminal of a specific type.
  • FIGS. 4A to 4E show the content of non-volatile memory NVM, and optionally NWM, of the microcircuit SE in the various states shown in FIG. 2. FIG. 4A shows the contents of the memories NWM, NVM in state INT, that is to say at the end of manufacturing of the microcircuit. In the NT state, the memory NVM/NWM simply contains the SBL program and the state variable SBST is initialized to INT. FIG. 4B shows the contents of memories NWM, NVM in state VGN. In the VGN state, the memory NVM/NWM further contains an identifier OIA of microcircuit SE, such as a serial number, a pair of public and private keys SEPK, SESK, as well as information relating to a server authorized to load profile data of an operating program OSPL in the non-volatile memory NVM of microcircuit SE. Information about the authorized server includes a public key SRSK and possibly an address SRVA or identifier of this server.
  • FIG. 4C shows the contents of memories NWM, NVM in the PLD state. In the PLD state, the NVM memory contains, in addition to the data of the VGN state, data ORDT relative to the operating program OS that may be loaded into the NVM memory, a public key OPPK of an entity authorized to load the OS program, and a public key of a vendor of the microcircuit SE. The data ORDT relating to the OS program include an identifier of the program, the size of the OS program and a start address for loading the program in the NVM memory, the data size of the OS program and a start address for loading the data into the NVM memory, integrity data for the program, such as a checksum, and possibly the date of loading the data into the NVM memory.
  • FIG. 4D shows the contents of memories NWM, NVM in the RDY state. In the RDY state, memory NVM contains, in addition to the data of the PLD state, the installed OS program and data OSD for the OS program. FIG. 4E shows the contents of memories NWM, NVM in the RDY state, after loading and installing applications AP1, AP2, AP3.
  • The memories NWM, NVM shown in FIGS. 4C-4E may also be in the ERS state if an authenticated erase command ERRQ has been sent to the microcircuit SE, but has not been processed yet.
  • Only the OS program, not the SBL program, may ensure loading and installing of applications AP1, AP2, AP3, and management of memories VM and NVM for the storage and manipulation of application data. Generally, only the OS program can manage memory space for application execution, by loading the executable code of an application to run in the VM memory, assigning the application a specific isolated execution space in memory, and ensuring an interface between the application and the hardware resources of the microcircuit SE, such as the communication interface ICM, a cryptographic coprocessor, and memories VM, NVM. It should be noted that the SBL program can in no way be considered as an operating program or system compared to the OS program that, in turn, cannot be considered as an application program compared to the SBL program. Indeed, once the OS program is installed (while the microcircuit SE is in the RDY state), the SBL program only performs, at start-up of the microcircuit SE, a set of tests (steps S1, S2) before handing over execution to the OS program. Therefore, the SBL program does not ensure loading the OS program in memory VM for execution, nor the interface between the OS program and hardware resources of the microcircuit SE, nor the allocation of a volatile memory space for the OS program execution.
  • According to an embodiment, the OS program has its own resources that are not shared with the SBL program. Thus, the OS program itself ensures the control of the interface circuits ICM and has cryptographic functions. If the processor PRC has an interruption vector table or exception vectors, the installation of the OS program reconfigures the table, with the exception of vectors corresponding to the power-on, initialization and reset signals PWO, RST, WRST.
  • FIG. 5 shows steps of the authentication procedure performed in steps S5, S16 and S21. This procedure includes steps S41 to S54 performed by the microcircuit SE and server SRV. The microcircuit SE and server SRV may communicate with each other by any means, for example via a contact or contactless reader, to which the microcircuit SE can connect. The microcircuit SE may also be inserted into a mobile phone and communicate with the server SRV via a processor of the phone and a communication link using a communication interface of the phone (GSM/3G/LTE/USB/WIFI . . . ).
  • The server SRV holds the identifier SEID and the public key SEPK of the microcircuit SE, both of which may be stored in a database SEDB of identifiers for microcircuits in service. In step S41, the server SRV establishes a communication with the microcircuit SE and issues a command for selecting the SBL program. This command may conform to the APDU (Application Protocol Data Unit) protocol defined by the ISO 7816 standard. At step S42, the processor PRC of microcircuit SE generates a random number SBR. At step S43, the processor PRC transmits in response to server SRV an authentication request containing the number SBR. At step S44, the server SRV generates a random number SRR, and calculates a signature SRS using a cryptographic function SGN applied to the random number SBR received from the microcircuit SE and to the generated random number SRR, using a private key SRSK of the server SRV corresponding to the public key SRPK stored by the microcircuit SE. At step S45, the server SRV transmits to the microcircuit SE an authentication request containing the random number SRR and signature SRS. At step S46, the processor PRC applies to the received signature SRS a cryptographic function SGN′ corresponding to function SGN, using the public key SRPK of the server SRV. Under these conditions, the function SGN′ provides numbers SBR′ and SRR′. In step S47, the processor PRC compares the numbers SBR′ and SBR, and the numbers SRR′ and SRR. In steps S48 and S49, the processor PRC updates an authentication token AUTH based on the result of these comparisons. Step S48 is executed if the numbers SBR′ and SBR match and if the numbers SRR′ and SRR match, which means that the server SRV holds the private key SRSK corresponding to the public key SRPK stored by the microcircuit SE and has properly authenticated. At step S48, the processor PRC also calculates a signature SES using the function SGN on the numbers SBR and SRR, using its private key SESK. The processor PRC also generates a secret SK by applying a cryptographic function CF1 to the public keys SEPK and SRPK of the microcircuit SE and server SRV, and calculates a session key SSK by applying a cryptographic function CF2 to the secret SK and random numbers SBR and SRR. The function CF1 may be a Diffie-Hellman function, for example, applied to points of an elliptic curve in a finite field. The function CF2 may be an irreversible function such as a hash function, e.g. SHA-1. The step S50 is executed by the processor PRC following step S48 or S49. In step S50, the processor PRC transmits to the server SRV the authentication indicator AUTH and possibly signature SES.
  • At step S51, the server SRV receives the AUTH token and possibly the signature SES, and tests the value of the AUTH token. The server SRV performs the steps S52 to S54 only if the AUTH token indicates that the microcircuit SE has authenticated the server SRV. In steps S52, S53, the server SRV verifies the signature SES in the same manner as in steps S46 and S47. If the signature SES is wrong, the server SRV terminates the procedure, possibly by sending an error message to the microcircuit SE. Otherwise, the server SRV performs step S54 where it calculates the secret SK and the session key SSK, in the same manner as in step S48. The server SRV and the microcircuit are then ready to exchange data securely and confidentially with the session key SSK.
  • FIG. 6 shows steps S61 to S69 executed by the microcircuit SE under control of program SBL and by servers MSRV, OSRV and ISRV. Steps S61 to S63 are executed with the server MSRV that represents a server of the microcircuit manufacturer. Step S61 represents the loading of the initialization data of the SBL program (step S13). Step S61 enables the microcircuit SE to switch from state INT to state VGN. Step S61 may be followed by the transmission of a command or an authentication request. Step S62 represents a mutual authentication procedure performed by the server MSRV and the microcircuit SE, following the transmission to the microcircuit of an authentication request. If the authentication procedure is successful, the step S62 may be followed by step S63 for loading operating program profile data OSP. Step S63 switches the microcircuit SE in the PLD state.
  • The steps S64 and S65 may be performed by a vendor of the OS program, the OSP data including for this purpose the public key OPPK of the server OSRV that is authorized to load the OS program in the microcircuit SE. At step S64, the server OSRV and the microcircuit SE perform a mutual authentication. If the authentication procedure is successful, step S64 may be followed by step S65 for loading an operating program OS. If step S65 runs correctly, microcircuit SE switches to the RDY state.
  • Steps S66 to S69 may be performed by the microcircuit in the RDY state and by the server ISRV of a vendor of the microcircuit SE, whose public key ISPK is held in the data profile of the OS program. At step S66, the server ISRV and the microcircuit SE perform a mutual authentication. If the authentication procedure is successful, the step S66 may be followed by step S67 for loading one or more applications AP1, AP2, AP3, and data relating to the recipient of microcircuit SE. At step S68, the server ISRV and the microcircuit SE perform a new mutual authentication procedure. If the authentication procedure is successful, the step S68 may be followed by step S69 to execute an erase command transmitted by the server ISRV to the microcircuit SE. During the execution of the erase command, the microcircuit SE goes successively through the ERS and VGN states. In the VGN state, only the server MSRV whose public key is held in the initialization data of the SBL program may reload operating program profile data OSP (steps S62, S63). The microcircuit SE may then receive from another server referenced in the profile data loaded in step S63, an operating program (steps S64, S65) and application data (steps S66, S67).
  • It will be apparent to those skilled in the art that the present invention is susceptible to various alternatives and applications. In particular, the invention is not limited to executing an erase procedure of an operating system or program previously installed in the microcircuit. Indeed, although the deletion of such a program is envisaged, the microcircuit may operate throughout its life time with the same operating program.
  • The installation of applications in the microcircuit following the operating program installation is not required. The operating program installed in the microcircuit may itself include functions or applications allowing the microcircuit to perform certain transactions or to access a service.
  • Furthermore, according to the required degree of security, it may not be necessary to test the integrity of the operating program once it is installed in the microcircuit.

Claims (15)

1. A method of loading an operating program in a secure microcircuit, comprising the steps of:
downloading and installing in the microcircuit a boot program, which is launched upon activation of the microcircuit,
loading into the microcircuit initialization data including a first public key,
performing a mutual authentication procedure between the microcircuit and a first server having a private key corresponding to the first public key, and if the mutual authentication is successful, loading from the first server operating program profile data holding a second public key,
performing a mutual authentication procedure between the microcircuit and a second server having a private key corresponding to the second public key, and if the mutual authentication is successful, loading an operating program from the second server and installing it in the microcircuit, and
activating the operating program when it is in the microcircuit.
2. The method of claim 1, comprising the steps of:
performing a mutual authentication procedure between the microcircuit and a third server having a private key corresponding to a third public key held in the operating program profile data, and
if the mutual authentication procedure is successful, loading an application from the third server and installing it in the microcircuit, and/or loading user data in the microcircuit.
3. The method of claim 1, comprising the steps of:
performing a mutual authentication procedure between the microcircuit and a third server having a private key corresponding to a third public key held in the operating program profile data, and
if the mutual authentication procedure is successful, running a command for erasing the operating program and operating program profile data in the microcircuit, wherein the erase command is transmitted to the microcircuit from the third server, and placing the microcircuit in a state where it is ready to receive new operating program profile data from the first server.
4. The method according to claim 1, wherein the operating program profile data and/or the operating program are transmitted in encrypted form using a secret key shared between the microcircuit and the first and/or second server during mutual authentication.
5. The method according to claim 1, comprising a step of receiving by the microcircuit a signal for enabling a control mode wherein the microcircuit can receive commands from a server, including an operating program erase command.
6. The method of claim 5, wherein the activation signal of the control mode includes a sequence of several reset signals received during a period of time.
7. The method according to claim 1, comprising a step of checking the integrity of the boot program upon start-up of the microcircuit.
8. The method according to claim 1, wherein the installation of the operating program in the microcircuit is followed by an integrity check of the installed operating program, wherein the operating program is erased from the microcircuit if the integrity check fails.
9. A secure microcircuit configured by a boot program for:
loading into the microcircuit initialization data comprising a first public key,
performing a mutual authentication procedure between the microcircuit and a first server having a private key corresponding to the first public key, and if the mutual authentication is successful, loading from the first server operating program profile data holding a second public key, and
performing a mutual authentication procedure between the microcircuit and a second server having a private key corresponding to the second public key, and if the mutual authentication is successful, loading an operating program from the second server and installing it in the microcircuit, and
activating the operating program when it is in the microcircuit.
10. The microcircuit according to claim 9, configured by the operating program for:
performing a mutual authentication procedure between the microcircuit and a third server having a private key corresponding to a third public key held in the operating program profile data, and
if the mutual authentication is successful, receiving an application from the third server and installing it in the microcircuit, and/or loading user data in the microcircuit.
11. The microcircuit according to claim 9, configured by the boot program for:
performing a mutual authentication procedure between the microcircuit and a third server having a private key corresponding to a third public key held in the operating program profile data, and
if the mutual authentication is successful, receiving from the third server and executing a command for erasing the operating program and the operating program profile data from the microcircuit, and placing the microcircuit in a state where it is ready to receive new operating program profile data from the first server.
12. The microcircuit according to claim 9, configured by the boot program for receiving a signal for enabling a control mode, wherein the microcircuit can receive commands from a server, including an operating program erase command.
13. The microcircuit according to claim 12, wherein the control mode enable signal includes a sequence of a number of reset signals received during a period of time.
14. The microcircuit according to claim 9, configured by the boot program to control the integrity of the boot program at start-up of the microcircuit.
15. The microcircuit according to claim 9, configured by the boot program to control the integrity of the operating program once it is installed, and to erase the operating program from the microcircuit if the integrity check failed.
US14/192,114 2013-02-27 2014-02-27 Method of updating the operating system of a secure microcircuit Abandoned US20140244993A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR1351727 2013-02-27
FR1351727A FR3002671B1 (en) 2013-02-27 2013-02-27 METHOD FOR UPDATING THE SYSTEM FOR OPERATING A SECURE MICROCIRCUIT

Publications (1)

Publication Number Publication Date
US20140244993A1 true US20140244993A1 (en) 2014-08-28

Family

ID=48468551

Family Applications (1)

Application Number Title Priority Date Filing Date
US14/192,114 Abandoned US20140244993A1 (en) 2013-02-27 2014-02-27 Method of updating the operating system of a secure microcircuit

Country Status (3)

Country Link
US (1) US20140244993A1 (en)
EP (1) EP2772868B1 (en)
FR (1) FR3002671B1 (en)

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9524388B2 (en) 2011-10-07 2016-12-20 Duo Security, Inc. System and method for enforcing a policy for an authenticator device
US9532222B2 (en) 2010-03-03 2016-12-27 Duo Security, Inc. System and method of notifying mobile devices to complete transactions after additional agent verification
US9544143B2 (en) 2010-03-03 2017-01-10 Duo Security, Inc. System and method of notifying mobile devices to complete transactions
US9608814B2 (en) 2013-09-10 2017-03-28 Duo Security, Inc. System and method for centralized key distribution
US9607156B2 (en) 2013-02-22 2017-03-28 Duo Security, Inc. System and method for patching a device through exploitation
US9641341B2 (en) * 2015-03-31 2017-05-02 Duo Security, Inc. Method for distributed trust authentication
US9762590B2 (en) 2014-04-17 2017-09-12 Duo Security, Inc. System and method for an integrity focused authentication service
US9774579B2 (en) 2015-07-27 2017-09-26 Duo Security, Inc. Method for key rotation
US9774448B2 (en) 2013-10-30 2017-09-26 Duo Security, Inc. System and methods for opportunistic cryptographic key management on an electronic device
US9930060B2 (en) 2015-06-01 2018-03-27 Duo Security, Inc. Method for enforcing endpoint health standards
US9979719B2 (en) 2015-01-06 2018-05-22 Duo Security, Inc. System and method for converting one-time passcodes to app-based authentication
US9996343B2 (en) 2013-09-10 2018-06-12 Duo Security, Inc. System and method for determining component version compatibility across a device ecosystem
US10013548B2 (en) 2013-02-22 2018-07-03 Duo Security, Inc. System and method for integrating two-factor authentication in a device
US10025600B2 (en) * 2015-10-02 2018-07-17 Google Llc NAND-based verified boot
US10348756B2 (en) 2011-09-02 2019-07-09 Duo Security, Inc. System and method for assessing vulnerability of a mobile device
US10412113B2 (en) 2017-12-08 2019-09-10 Duo Security, Inc. Systems and methods for intelligently configuring computer security
US11658962B2 (en) 2018-12-07 2023-05-23 Cisco Technology, Inc. Systems and methods of push-based verification of a transaction
US20240073002A1 (en) * 2022-08-31 2024-02-29 Micron Technology, Inc. Generating a shared secret for an electronic system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050071616A1 (en) * 2003-09-25 2005-03-31 Zimmer Vincent J. Use of common language infrastructure for sharing drivers and executable content across execution environments
US7499545B1 (en) * 2001-02-05 2009-03-03 Ati Technologies, Inc. Method and system for dual link communications encryption
US20090327741A1 (en) * 2008-06-30 2009-12-31 Zimmer Vincent J System and method to secure boot uefi firmware and uefi-aware operating systems on a mobile internet device (mid)
US20100217964A1 (en) * 2009-02-24 2010-08-26 General Instrument Corporation Method and apparatus for controlling enablement of jtag interface
US20130159021A1 (en) * 2000-07-06 2013-06-20 David Paul Felsher Information record infrastructure, system and method

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060039564A1 (en) * 2000-11-17 2006-02-23 Bindu Rama Rao Security for device management and firmware updates in an operator network
JP2003216431A (en) * 2002-01-18 2003-07-31 Cec:Kk IC card operating system update system and IC card used for the system
US20120115455A1 (en) * 2004-07-26 2012-05-10 Bindu Rama Rao Secure bootstrap provisioning of electronic devices in carrier networks

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130159021A1 (en) * 2000-07-06 2013-06-20 David Paul Felsher Information record infrastructure, system and method
US7499545B1 (en) * 2001-02-05 2009-03-03 Ati Technologies, Inc. Method and system for dual link communications encryption
US20050071616A1 (en) * 2003-09-25 2005-03-31 Zimmer Vincent J. Use of common language infrastructure for sharing drivers and executable content across execution environments
US20090327741A1 (en) * 2008-06-30 2009-12-31 Zimmer Vincent J System and method to secure boot uefi firmware and uefi-aware operating systems on a mobile internet device (mid)
US20100217964A1 (en) * 2009-02-24 2010-08-26 General Instrument Corporation Method and apparatus for controlling enablement of jtag interface

Cited By (37)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9532222B2 (en) 2010-03-03 2016-12-27 Duo Security, Inc. System and method of notifying mobile devices to complete transactions after additional agent verification
US9544143B2 (en) 2010-03-03 2017-01-10 Duo Security, Inc. System and method of notifying mobile devices to complete transactions
US9992194B2 (en) 2010-03-03 2018-06-05 Duo Security, Inc. System and method of notifying mobile devices to complete transactions
US10129250B2 (en) 2010-03-03 2018-11-13 Duo Security, Inc. System and method of notifying mobile devices to complete transactions
US11832099B2 (en) 2010-03-03 2023-11-28 Cisco Technology, Inc. System and method of notifying mobile devices to complete transactions
US11341475B2 (en) 2010-03-03 2022-05-24 Cisco Technology, Inc System and method of notifying mobile devices to complete transactions after additional agent verification
US11172361B2 (en) 2010-03-03 2021-11-09 Cisco Technology, Inc. System and method of notifying mobile devices to complete transactions
US10706421B2 (en) 2010-03-03 2020-07-07 Duo Security, Inc. System and method of notifying mobile devices to complete transactions after additional agent verification
US10445732B2 (en) 2010-03-03 2019-10-15 Duo Security, Inc. System and method of notifying mobile devices to complete transactions after additional agent verification
US10348756B2 (en) 2011-09-02 2019-07-09 Duo Security, Inc. System and method for assessing vulnerability of a mobile device
US9524388B2 (en) 2011-10-07 2016-12-20 Duo Security, Inc. System and method for enforcing a policy for an authenticator device
US9607156B2 (en) 2013-02-22 2017-03-28 Duo Security, Inc. System and method for patching a device through exploitation
US10013548B2 (en) 2013-02-22 2018-07-03 Duo Security, Inc. System and method for integrating two-factor authentication in a device
US10248414B2 (en) 2013-09-10 2019-04-02 Duo Security, Inc. System and method for determining component version compatibility across a device ecosystem
US9996343B2 (en) 2013-09-10 2018-06-12 Duo Security, Inc. System and method for determining component version compatibility across a device ecosystem
US9608814B2 (en) 2013-09-10 2017-03-28 Duo Security, Inc. System and method for centralized key distribution
US9774448B2 (en) 2013-10-30 2017-09-26 Duo Security, Inc. System and methods for opportunistic cryptographic key management on an electronic device
US9998282B2 (en) 2013-10-30 2018-06-12 Duo Security, Inc. System and methods for opportunistic cryptographic key management on an electronic device
US10237062B2 (en) 2013-10-30 2019-03-19 Duo Security, Inc. System and methods for opportunistic cryptographic key management on an electronic device
US10021113B2 (en) 2014-04-17 2018-07-10 Duo Security, Inc. System and method for an integrity focused authentication service
US9762590B2 (en) 2014-04-17 2017-09-12 Duo Security, Inc. System and method for an integrity focused authentication service
US9979719B2 (en) 2015-01-06 2018-05-22 Duo Security, Inc. System and method for converting one-time passcodes to app-based authentication
US9825765B2 (en) * 2015-03-31 2017-11-21 Duo Security, Inc. Method for distributed trust authentication
US10116453B2 (en) * 2015-03-31 2018-10-30 Duo Security, Inc. Method for distributed trust authentication
US9942048B2 (en) * 2015-03-31 2018-04-10 Duo Security, Inc. Method for distributed trust authentication
US9641341B2 (en) * 2015-03-31 2017-05-02 Duo Security, Inc. Method for distributed trust authentication
US20170195123A1 (en) * 2015-03-31 2017-07-06 Duo Security, Inc. Method for distributed trust authentication
US9930060B2 (en) 2015-06-01 2018-03-27 Duo Security, Inc. Method for enforcing endpoint health standards
US10542030B2 (en) 2015-06-01 2020-01-21 Duo Security, Inc. Method for enforcing endpoint health standards
US9774579B2 (en) 2015-07-27 2017-09-26 Duo Security, Inc. Method for key rotation
US10742626B2 (en) 2015-07-27 2020-08-11 Duo Security, Inc. Method for key rotation
US10063531B2 (en) 2015-07-27 2018-08-28 Duo Security, Inc. Method for key rotation
US10025600B2 (en) * 2015-10-02 2018-07-17 Google Llc NAND-based verified boot
US10412113B2 (en) 2017-12-08 2019-09-10 Duo Security, Inc. Systems and methods for intelligently configuring computer security
US11658962B2 (en) 2018-12-07 2023-05-23 Cisco Technology, Inc. Systems and methods of push-based verification of a transaction
US20240073002A1 (en) * 2022-08-31 2024-02-29 Micron Technology, Inc. Generating a shared secret for an electronic system
US12381717B2 (en) * 2022-08-31 2025-08-05 Micron Technology, Inc. Generating a shared secret for an electronic system

Also Published As

Publication number Publication date
FR3002671A1 (en) 2014-08-29
EP2772868A1 (en) 2014-09-03
EP2772868B1 (en) 2017-12-06
FR3002671B1 (en) 2016-07-29

Similar Documents

Publication Publication Date Title
US20140244993A1 (en) Method of updating the operating system of a secure microcircuit
US9916574B2 (en) Secure computing device and method
CN106133739B (en) Security protection of loading of data into non-volatile memory of a secure element
KR102788533B1 (en) Electronic device performing firmware update based on user authentication and operating method thereof
US9009357B2 (en) Method and apparatus for field firmware updates in data storage systems
US20100325628A1 (en) Information processing device
US10162565B2 (en) Data erasure of a target device
KR101824249B1 (en) Method for managing electronic devices, for example, of integrated circuits type, having internal generation of a personal authetication key
CN114491682A (en) Virtual subscriber identity module and virtual smart card
CN108154025A (en) Method, the method and device of application program mirror image processing of embedded device startup
CN113885907B (en) A firmware upgrade system and method
CN118302990A (en) SRAM Physical Unclonable Function (PUF) memory for generating keys based on device owners
US20230273977A1 (en) Managing ownership of an electronic device
CN105187410A (en) Application self-upgrading method and system
KR102026279B1 (en) How to manage your application
CN113779587A (en) Secure start-up of electronic circuits
CN107851044B (en) Integrated circuit card adapted to transfer first data from a first application for use by a second application
KR102810973B1 (en) Network camera and method for providing security service thereof
US20150154393A1 (en) Electronic access-protection system, method of operating a computer system, chip card and firmware component
EP2985724B1 (en) Remote load and update card emulation support
US20250322041A1 (en) Managing ownership of an electronic device
US20250053657A1 (en) A provisioning control apparatus and method for provisioning electronic components or devices
CN111625836B (en) Trusted guiding method for entrance guard type electronic equipment
CN120602944A (en) A machine-card binding method, terminal device and computer-readable storage medium
CN118246039A (en) Protection of electronic devices

Legal Events

Date Code Title Description
AS Assignment

Owner name: INSIDE SECURE, FRANCE

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:CHEW, GARY;REEL/FRAME:032314/0949

Effective date: 20140214

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION